RFC3161 does not define a specification for the API path of a TSA, only standardizing the input and output as timestamp request and response structures. The Sigstore TSA implementation defines the path to request timestamps as api/v1/timestamp.
In order to support arbitrary TSAs, we need to use a custom client that a) uses the provide URL with both the host and path, b) takes in a timestamp request, and c) parses a returned timestamp response.
RFC3161 does not define a specification for the API path of a TSA, only standardizing the input and output as timestamp request and response structures. The Sigstore TSA implementation defines the path to request timestamps as
api/v1/timestamp
.As discussed in https://github.com/sigstore/sigstore-go/pull/187, the current timestamp authority client, which comes from generated code in sigstore/timestamp-authority, only supports the Sigstore TSA implementation. When a URL is provided to the client, it is truncated to only the URL host, and then the API path above is appended.
In order to support arbitrary TSAs, we need to use a custom client that a) uses the provide URL with both the host and path, b) takes in a timestamp request, and c) parses a returned timestamp response.
We have implemented this already in Cosign as part of https://github.com/sigstore/cosign/pull/2708:
I would recommend we upstream this client to sigstore/timestamp-authority or duplicate it in sigstore/sigstore-go.